commit b0857e7b9d1c998178cbea2df3bd232b8039518d
parent 88548abf29f8fe7f5e633874026fbf6cd839628e
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 23 Dec 2025 15:16:45 +0900
success mastodon validation
Diffstat:
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/pkg/taldir/oidc_validator.go b/pkg/taldir/oidc_validator.go
@@ -63,6 +63,9 @@ type OidcValidator struct {
// Scope(s)
scope string
+ // Claim that is the alias
+ aliasClaimName string
+
// Redirect URI
redirectURI string
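Review bot: The new field comment `// Claim that is the alias` does not say where the claim comes from or why the choice matters; since `aliasClaimName` selects which userinfo claim is compared against the alias, I would expand it to `// Name of the userinfo claim whose value must equal the alias being validated (configured via alias_claim; defaults to "sub").` It is also worth noting in that comment that OpenID Connect only guarantees `sub` to be a stable, unique identifier for the end user, so deployments that point this at another claim accept whatever stability that provider gives it. The struct definition continues outside the hunk.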
@@ -126,7 +129,7 @@ func (t OidcValidator) IsAliasValid(alias string) (err error) {
func (t OidcValidator) ValidateAliasSubject(tokenString string, expectedAlias string) error {
- var relevantClaims RelevantUserClaims
+ var relevantClaims map[string]interface{}
req, err := http.NewRequest("GET", t.userinfoEndpoint, nil)
if err != nil {
return fmt.Errorf("failed to create userinfo request")
@@ -144,8 +147,9 @@ func (t OidcValidator) ValidateAliasSubject(tokenString string, expectedAlias st
if err != nil {
return fmt.Errorf("unable to parse userinfo response")
}
- if relevantClaims.Sub != expectedAlias {
- return fmt.Errorf("subject in ID token (%s) does not match state (%s)", relevantClaims.Sub, expectedAlias)
+ aliasClaim := relevantClaims[t.aliasClaimName]
+ if aliasClaim != expectedAlias {
+ return fmt.Errorf("subject in ID token (%s) does not match state (%s)", aliasClaim, expectedAlias)
}
return nil
}
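Review bot: The check `if aliasClaim != expectedAlias` compares an `interface{}` against a string, so a missing claim or a claim whose JSON type is not a string silently lands in the mismatch branch, and for the missing case the error formats the nil as `%!s(<nil>)`. A type assertion makes the distinct failure visible: `aliasClaim, ok := relevantClaims[t.aliasClaimName].(string)` followed by `if !ok { return fmt.Errorf("alias claim %q missing or not a string in userinfo response", t.aliasClaimName) }`, keeping the existing comparison after it. The retained message still says "subject in ID token" although the value now comes from the configurable claim in the userinfo response, so something like `"claim %q in userinfo (%s) does not match state (%s)"` with `t.aliasClaimName` would describe what was actually compared. ValidateAliasSubject starts in the previous hunk and the decode into relevantClaims sits between the two hunks, outside this view.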
@@ -218,6 +222,7 @@ func makeOidcValidator(cfg *TaldirConfig, name string, landingPageTpl *template.
userinfoEndpoint: sec.Key("userinfo_endpoint").MustString(""),
authorizationEndpoint: sec.Key("authorization_endpoint").MustString(""),
validAliasRegex: sec.Key("valid_alias_regex").MustString(""),
+ aliasClaimName: sec.Key("alias_claim").MustString("sub"),
redirectURI: redirectURI,
authorizationsState: make(map[string]*AuthorizationsState, 0),
}